Talking Data Security and Compliance
Know your Data, Protect your Data

Archive for the ‘Information Spillage’ Category

When you go swimming, do you creep in slowly or jump right in? I’ve tried both and have decided that jumping in is by far the better way. A few seconds of shock at the temperature change and then I’m swimming happily. Why endure slow temperature change torture when the whole body adjusts quickly?

When it comes to implementing data classification it is also best to jump in fully and involve the entire enterprise. At least, it makes sense if you are truly concerned about data security. If sensitive content is shared with a user without TITUS Classification, or should a user without TITUS Classification gain access to sensitive content, the policy enforcement and protections TITUS normally provides would be unavailable. By sparing some parts of your organization from change you are simply leaving data security gaps. So, if you aren’t thinking about deploying TITUS Classification enterprise-wide, here’s a baker’s dozen of reasons you may want to reconsider. (more…)

When we consider securing data from unauthorized users we most often think about the importance of protecting data from people or systems outside of our organization. And yet, many of the companies we speak to are also looking to prevent information from leaking between groups within their organization. While the need for ethical walls (sometimes referred to as “Chinese walls”) may be standard practice within the financial and legal professions, organizations from a variety of sectors have expressed a need to establish an information divide between internal groups. Research and development projects, financial auditing, and lawsuits are just some instances where an organization might seek to separate and restrict employee information sharing.

TITUS Classification Suite makes it easy to control and monitor the flow of information, ensuring the enforcement of ethical walls. The TITUS ECA (Event, Condition, Action) policy engine can take into account multiple system properties to enforce policy, such as the current user’s identity, the data creator’s identity, the content of the information, and the identity of the recipient. In addition to user and system properties, TITUS can automatically apply classification metadata to email and documents, providing further details which can be used to enforce information sharing policies between colleagues.(more…)

Mobile devices make it easy to access information from almost anywhere and to share it with just about everyone on earth. However, because they are small and highly portable, mobile devices are also more easily lost or stolen, and with them the data they contain. For businesses, governments, militaries and other organizations that create and deal with sensitive information, mobile devices pose a huge security risk. While there are many solutions designed to protect data on mobile devices, what if you could delete sensitive data from the device before it is put at risk?(more…)

It’s Data Privacy Day today, and TITUS is participating with other organizations around the world to raise awareness about the need to protect personal data. While much of the focus of Data Privacy Day is on how individuals can protect their data from the mischievous, the opportunist and the criminal, here at TITUS we like to look at it from the other side. How can the bank, the clinic, the department store, the utility, the educational institution, and all of the other legitimate organizations that collect personal details be good stewards of this information?(more…)

As the workforce becomes more mobile, enterprises wishing to facilitate a productive mobile workforce need to ensure that their workers have access to information. This means that mobile users must download and share information that could be detrimental to the organization if it is acquired by an outside agent. Yet, almost weekly we hear of another major breach of an organization’s central security perimeter. If the central data vault can be compromised, it raises the question: how safe is your data on mobile devices?

Mobile devices share information over public networks and they make it easy for users to share information with public cloud storage services. Worse still, they are easily lost or stolen. It makes a lot of sense, then, to leverage a tool like Microsoft Rights Management Services (RMS) to encrypt your most sensitive data—especially when it is shared with mobile users.(more…)

This week, it was reported that just over 35,000 student records were compromised at Riverside Community College District in California when an employee accidentally sent these records to an external email address. As a consequence of this error, students have become anxious about their security and mistrustful of the college administration. To correct the mistake, the college is offering one year of free credit monitoring to any student listed in the leaked database. As with any data breach casualty, Riverside Community College is taking a hit to its reputation and to its budget.(more…)

A few years back my wife and I spent a great deal of time and effort writing a business plan. We researched the market place, analyzed the threat from local competitors and built the financial and resourcing plans that would ensure our success. When we were done, we shared the plan with our potential investors (friends and family).

Happily, when we shared our plan it received an enthusiastic response. Unhappily, it was so well received that one of our friends thought to share our business plan with some of his work colleagues.

“We’ve had a classification policy for 30 years, but we’ve never been able to enforce it.”

Does this quote sound familiar to you? It’s very common for organizations, especially in the commercial space, to have a classification policy but no way to implement it. Instead, organizations often move directly to the data protection stage, investing in large infrastructure projects such as DLP and IRM. But without classification as the foundation of their information protection strategy, it’s impossible for organizations to know what to protect.

Fortunately, implementing a classification policy is actually quite simple. Based on our experience in helping hundreds of organizations, here are our five recommended steps for implementing a classification policy:

Since there are a number of ways to implement Data Loss Prevention (DLP) within an enterprise, it is important to understand the value of different approaches. One approach to DLP is called “Redaction”, which involves blacking out the characters in a message or document, so that future consumers of the document can’t see sensitive portions of the document. The image below shows how a redacted message might look. Redaction has been mostly used in highly sensitive government or military environments for documents, but redaction can also be used in commercial organizations where the loss of sensitive information via email is a concern.

Clearly, in order to effectively redact content, some kind of rules must be applied to determine which portions should be blacked out. Once the sensitive portions have been identified, a number of different actions are usually taken to ensure that the sensitive information is not released. This article focuses on why redaction is an important option to have in an email system, and how it can be automated to help users protect sensitive information.
